AN IMPROVEMENT OF STRONG PROXY SIGNATURE AND ITS

APPLICATIONS

Min-Shiang Hwang

Department of Management Information Systems, National Chung Hsing University

250 Kuo Kuang Road, 402 Taichung, Taiwan, R.O.C.

Shiang-Feng Tzeng

Department of Computer Science and Information Engineering, National Central University

No. 300, Jung-da Rd., Jung-li City, 320 Taoyuan, Taiwan, R.O.C.

Shu-Fen Chiou

Department of Computer Science and Engineering, National Chung Hsing University

250 Kuo Kuang Road, 402 Taichung, Taiwan, R.O.C.

Keywords:

Cryptography, digital signature, proxy signature, multi-proxy signature.

Abstract:

In 2001, Lee et al. proposed a strong non-designated proxy signature for the use of multi-proxy signatures at

the presence of plural delegations of multiple original signers. In this paper, we shall analyze their schemes

and offer some suggestions as to how to improve the security of those schemes.

1 INTRODUCTION

Proxy signature schemes (Mambo et al., 1996a),

(Mambo et al., 1996b) are what original signers can

use to delegate their signing capability to so-called

proxy signers. In these schemes, a proxy signature

key is created by using the original signer’s signa-

ture key. Then the proxy signer creates a signa-

ture to sign on behalf of the original signer. Several

proxy signature schemes have been widely studied

(Das et al., 2007), (Gu et al., 2005), (Guo and Liu,

2006), (Hwang et al., 2000), (Kim et al., 1997), (Pe-

tersen and Horster, 1997), (Sun, 1999), (Tzeng et al.,

2002). In 2001, Lee et al. proposed a proxy signature

scheme (Lee et al., 2001b). They have considered a

number of possible attacks on their predecessors in

their scheme.

Based on the types of weaknesses, Lee et al. (Lee

et al., 2001b) have classiﬁed proxy signatures into

strong and weak ones in terms of undeniability. A

strong proxy signature can work both as an original

signer’s signature and as a proxy signer’s signature,

while a weak proxy signature can only act as an orig-

inal signer’s signature.

In addition, Lee et al. (Lee et al., 2001b) have

also classiﬁed proxy signatures into designated and

non-designated ones in terms of the designation of the

proxy signer. They have shown that a strong proxy

signature can be used without any proxy signer be-

ing designated, because the proxy signature has ex-

plicit authentic information about the proxy signer.

Based on the above classiﬁcations, Lee et al. have

proposed a Strong Non-designated Proxy Signature

(SNPS) scheme and applied it to multi-proxy signa-

ture schemes in which multiple original signers del-

egate their signing capabilities to unspeciﬁed proxy

signers.

In this article, we shall show various attacks on

the above SNPS scheme and the SNPS-implemented

multi-proxy signature scheme. Those schemes can-

not satisfy the strong unforgeability requirement. Any

third party or original signer is not designated as a

proxy signer and thus is not allowed to create a valid

proxy signature of the proxy signer. However, the

original signer, or one of the original signers, can

forge a valid proxy signature for the proxy signer

which the proxy signer cannot repudiate.

In Sections 2 and 3, we shall review the SNPS

scheme and observe how it can be applied to the con-

struction of a multi-proxy signature scheme, and we

shall also point out their weaknesses, respectively. In

Section 4, our improved schemes and the security

analysis of the improved schemes will be proposed

and presented. Finally, the concluding remarks will

Hwang M., Tzeng S. and Chiou S. (2008).

AN IMPROVEMENT OF STRONG PROXY SIGNATURE AND ITS APPLICATIONS.

In Proceedings of the International Conference on Security and Cryptography, pages 95-98

DOI: 10.5220/0001919800950098

 SciTePress

be in the last section.

2 THE SNPS SCHEME AND ITS

APPLICATION

In this section, we shall brieﬂy review the Lee et

al.’s SNPS scheme (LKK-SNPS for short) (Lee et al.,

2001b) and its contribution to a multi-proxy signature

scheme (Lee et al., 2001b).

2.1 Review of the SNPS Scheme

There are three phases in the LKK-SNPS scheme:

proxy key issuing, proxy signer signing, and proxy

signature verifying. Initially, the system parameters

are deﬁned as follows.

Let p be a large prime, q be a prime factor of p−1,

g be a generator of order q ∈ Z

∗

, and h(·) be a one-way

hash function. The warrant m

records the identity of

the original signer and the valid delegation time, etc.

does not include the identity of any proxy signer.

Each user U

owns a private key x

∈ Z

∗

and cor-

responding public key y = g

mod p, which are cer-

tiﬁed by the certiﬁcate authority (CA). Let U

be the

original signer and U

be the proxy signer.

• Proxy Key Issuing: U

chooses a random num-

ber k and computes r = g

mod p and σ =

h(m

, r) +k mod q. The tuple (m

, r, σ) is U

’s

signature on m

. U

sends (m

, r, σ) to U

. Af-

ter receiving (m

, r, σ), U

veriﬁes by checking

whether the following equation holds:

= y

h(m

,r)

r mod p. (1)

If it holds, U

computes her/his proxy private key

= σ +x

mod q. (2)

• Proxy Signer Signing: If a message m conforms

to m

, U

can generate a proxy signature on m

as s = S(σ

, m) using her/his proxy private key

, where S(·) is a general signature generation

algorithm. The tuple (m, s, m

, r, y

, y

) is a valid

proxy signature.

• Proxy Signature Verifying: The veriﬁer computes

the corresponding proxy public key:

y = y

h(m

,r)

mod p.

The veriﬁer can verify (m, s, m

, r, y

, y

) by

checking if m ∈ {m

} and V (y, m, σ)

true,

where V (·) is a general signature veriﬁcation al-

gorithm. If those expressions hold, the proxy sig-

nature (m, s, m

, r, y

, y

) for m is valid.

2.2 Review of the Multi-Proxy

Signature Scheme

Let G = {U

, U

, ··· , U

} be the original group of

n original signers. Now, they are trying to delegate

their signing capabilities to some unspeciﬁed proxy

signers. First, they can perform the same steps as the

proxy key issuing phase in SNPS scheme. Each U

∈

G sends (m

, r

, σ

) to U

After receiving (m

, r

, σ

), U

veriﬁes it by

Equation (1). If U

wants to create a proxy signature

on behalf of G under warrants {m

, m

, ··· , m

she/he has to generate her/his proxy private key σ

= σ

+ ···+ σ

+ x

mod q. (3)

If her/his message m conforms to

, m

, ··· , m

}, U

can create a proxy

signature on m as s = S(σ

, m). The tuple

(m, s, m

, r

, y

, ··· , m

, r

, y

) is a valid

proxy signature.

Then, any veriﬁer can generate the proxy public

key y as

y = y

h(m

)

···y

h(m

)

mod p.

Then, the veriﬁer can check the validity of proxy

signature by examining if V (y, m, s)

true and m ∈

, m

, ··· , m

3 CRYPTANALYSIS

In this section, we shall analyze the security of

the SNPS scheme and the SNPS-implemented multi-

proxy signature scheme.

3.1 Cryptanalysis of the SNPS Scheme

In this subsection, we will show that the LKK-SNPS

scheme is vulnerable to the public key substitution

and direct forgery attacks. The original signer can

generate a valid proxy signature key σ

with respect

to an arbitrary user. Let the arbitrary user be some

proxy signer U

In the public key substitution attack, U

can make

the public key substitution attack feasible. U

se-

lects a random number k ∈ Z

, and computes r =

mod p. Then, she/he selects a random number

α ∈ Z

and updates her/his public key y

by y

−h(m

,r)

−1

) mod p. Thus, the valid proxy signa-

ture key is σ

= αh(m

, r) + k mod q. The following

expressions show why σ

is valid.

y = y

h(m

,r)

= (g

−h(m

,r)

−1

))

h(m

,r)

= g

αh(m

,r)

r = g

mod p.

SECRYPT 2008 - International Conference on Security and Cryptography

Finally, U

can forge a valid proxy signature (m,

s, m

, r, y

, y

). In fact, U

has never signed the

message m, but she/he cannot deny it.

In the direct forgery attack, U

randomly selects

a number k ∈ Z

and computes r = g

−1

mod p.

Then, she/he computes a valid proxy signature key

= x

h(m

, r) + k mod q because

y = y

h(m

,r)

= y

h(m

,r)

−1

= y

h(m

,r)

= g

mod p.

Similarly, U

can forge a valid proxy signature,

and U

cannot deny to signing the message m.

3.2 Cryptanalysis of the Multi-Proxy

Signature Scheme

In this subsection, we will show that the Lee-Kim-

Kim multi-proxy signature is vulnerable to the col-

lusion attack, the public key substitution attack, and

the direct forgery attack. Cooperation of all the origi-

nal signers or one malicious original signer can forge

valid multi-proxy signatures.

Without loss of generality, suppose

, U

, ··· , U

} want to forge a multi-proxy

signature on m for an arbitrarily chosen proxy

signer U

by collusion attack. U

ﬁrst selects

and computes r

= g

−1

mod p and σ

h(m

, r

) + k

mod q. Thus, the valid multi-

proxy signature key is σ

= σ

+··· + σ

mod q. The

following expressions show why σ

is valid.

y = y

h(m

)

···y

h(m

)

= y

h(m

)

−1

)···y

h(m

)

= y

h(m

)

···y

h(m

)

= g

∑

i=1

mod p.

Therefore, all the original signers can work to-

gether and use σ

to generate a forged multi-proxy

signature on an arbitrary message m for an arbitrary

proxy signer U

In the public key substitution attack, any orig-

inal signer can forge valid multi-proxy signatures

by updating her/his own public key. Suppose

that U

wants to forge a multi-proxy signa-

ture on m for {U

, U

, ··· , U

}. This attack is

similar in Section 3.1. U

ﬁrst selects random

numbers m

, k

for i = 1, 2, ··· , n, and α, and

then she/he computes r

= g

mod p and y

h(m

)

···y

h(m

)

−h(m

)

−1

mod

p. Then, U

makes a request to CA for updating

her/his public key by y

. Thus, the valid proxy

signature key is σ

= αh(m

, r

) + k

mod q, and

its corresponding proxy public key is y = g

mod p.

This is because

y = y

h(m

)

··· y

h(m

)

= (g

h(m

)

··· y

h(m

)

−h(m

)

−1

)

h(m

)

··· y

h(m

)

= g

αh(m

)

= g

mod p.

Therefore, U

can use σ

to generate a forged

multi-proxy signature on an arbitrary message m for

, U

, ··· , U

In the directing forgery attack, we assume U

wants to forge a multi-proxy signature on m for

, U

, ··· , U

}. The forgery attack is also similar

in Section 3.1. U

ﬁrst selects random numbers m

and k

for i = 1, 2, ··· , n, and then she/he computes

= g

h(m

)

···y

h(m

)

−1

mod p.

Then the valid proxy signature key is σ

h(m

, r

) + k

mod q, and its corresponding

proxy public key is y = g

mod p. This is because

y = y

h(m

)

···y

h(m

)

= y

h(m

)

h(m

)

···y

h(m

)

−1

···y

h(m

)

= y

h(m

)

= y

mod p.

Therefore, U

can use σ

to generate a forged

multi-proxy signature on an arbitrary message m for

, U

, ··· , U

4 OUR IMPROVEMENT

In this section, we modify the SNPS scheme and its

multi-proxy signature scheme to remedy the weak-

nesses described in Section 3.

4.1 The Improved Schemes

In the SNPS scheme, the proxy signature can be

forged by the original signer. We modify the scheme

as follows. In the proxy signer signing phase, we turn

Equation (2) into

= σ +x

h(m

, r, y

) mod q.

Therefore, the proxy public key y becomes

y = y

h(m

,r)

h(m

,r,y

)

mod p.

To remedy the weaknesses of the multi-proxy sig-

nature scheme, we shall treat it similarly. The new σ

in Equation (3) is

∑

i=1

+ x

h(m

, r

, y

, ··· , m

, r

, y

) mod q.

AN IMPROVEMENT OF STRONG PROXY SIGNATURE AND ITS APPLICATIONS

Therefore, the proxy public key y becomes

y = y

h(m

)

···y

h(m

)

h(m

,···,m

)

mod p.

4.2 Security Analysis

The improved schemes can withstand all the above

attacks in Section 3. In the SNPS scheme, suppose

the signer U

is a malicious original signer. U

selects

a random integer α and makes her/his public key y

satisfy the following equation

= g

−h(m

,r,y

)

−1

) mod p.

If U

ﬁxes the integer y

, she/he will have to solve

the discrete logarithm problem to ﬁnd the value of α;

on the other hand, if U

ﬁrst determines the integer

α, then she/he has to obtain the value of y

by solv-

ing the difﬁcult problem. Therefore, the public key

substitution attack is not likely to work.

As for the directing forgery attack, the secu-

rity analysis is the same as that of the public key

substitution attack on the improved schemes. The

proxy signature cannot be forged by direct forgery at-

tack. Therefore, those attacks on the improved SNPS

scheme and its application to multi proxy signatures

are impossible since it is difﬁcult to obtain the proxy

signature.

5 CONCLUSIONS

In this paper, we have shown that strong non-

designated proxy signature schemes and their appli-

cations to multi-proxy signature schemes are vulner-

able to some attacks. The malicious original signer

can forge valid strong non-designated proxy signa-

tures and multi-proxy signatures. Furthermore, the

proxy signer cannot repudiate the forged proxy sig-

natures. Therefore, we have also presented our im-

proved scheme to defeat those attacks.

Lee et al. have also presented several mobile ap-

plications of strong proxy signatures. In (Lee et al.,

2001a), Lee et al. have shown that mobile agents can

be constructed by using strong non-designated proxy

signatures. However, the same attacks on strong

non-designated proxy signatures can be generalized

to work on Lee-Kim-Kim “secure” mobile agents.

Again, our improved scheme can be used here to de-

feat these attacks.

ACKNOWLEDGEMENTS

This work was supported in part by Taiwan Infor-

mation Security Center (TWISC), National Science

Council under the grants NSC 96-2219-E-001-001,

and NSC 96-2219-E-009-013.

REFERENCES

Das, M. L., Saxena, A., and Phatak, D. B. (2007). Proxy sig-

nature scheme with effective revocation using bilinear

pairings. International Journal of Network Security,

4(3):312–317.

Gu, L. Z., Zhang, S., and Yang, Y. X. (2005). An im-

proved proxy multi-signature scheme. The Journal of

China Universities of Posts and Telecommunications,

12(1):10–14.

Guo, L. and Liu, Y. (2006). Security analysis and improve-

ment of hsu et al. threshold proxy signature scheme.

International Journal of Network Security, 2(1):69–

72.

Hwang, M. S., Lin, I. C., and Lu, E. J. L. (2000). A secure

nonrepudiable threshold proxy signature scheme with

known signers. International Journal of Informatica,

11(2):1–8.

Kim, S., Park, S., and Won, D. (1997). Proxy signatures,

revisited. Proc. of ICICS’97, LNCS 1334, pages 223–

232.

Lee, B., Kim, H., and Kim, K. (2001a). Secure mobile

agent using strong non-designated proxy signature. In

Lecture Notes in Computer Science 2119, ACISP 01,

pages 474–486, Sydney, Australia.

Lee, B., Kim, H., and Kim, K. (2001b). Strong proxy signa-

ture and its applications. In The 2001 Symposium on

Cryptography and Information Security, pages 603–

608, Oiso, Japan.

Mambo, M., Usuda, K., and Okamoto, E. (1996a). Proxy

signatures: Delegation of the power to sign message.

IEICE Trans. Fundamentals, E79-A(9):1338–1353.

Mambo, M., Usuda, K., and Okamoto, E. (1996b). Proxy

signatures for delegating signing operation. Proc.

Third ACM Conf. on Computer and Communications

Security, pages 48–57.

Petersen, H. and Horster, P. (1997). Self-certiﬁed keys -

concepts and applications. In Communications and

Multimedia Security’97, pages 102–116, Chapman &

Hall.

Sun, H. M. (1999). An efﬁcient nonrepudiable threshold

proxy signature scheme with known signers. Com-

puter Communications, 22(8):717–722.

Tzeng, S.-F., Yang, C.-Y., and Hwang, M.-S. (2002). A

nonrepudiable threshold multi-proxy multi-signature

scheme with shared veriﬁcation. Proceeding of 12

National Conference on Information Security, R.O.C.,

pages 285–292.

SECRYPT 2008 - International Conference on Security and Cryptography